Hi all,
especially with respect to the JBoss SAR, but also in conjunction with
other kinds of deployment, I think it is rather unfortunate to require
the super-user password to be supplied in the startup configuration.
With the SAR, one needs to tweak the jboss-service.xml file, living
inside the SAR archive, after the super-user password has been changed.
To make the pains even worse, I have several other services running on
JBoss which also depend on the directory. In order to enable
authorization of remote accesses to the directory without reverting to a
default, non-user-configurable super-user password, I have to unpack the
SAR, update the service configuration to include the updated password
and re-pack the SAR for all services during installation.
To fix this problem, IMHO there should be the option to let all in-VM
accesses by-pass authentication and authorization. In fact, I think this
should be the default way of operation, as cases, where in-VM
authorization is required, could be covered by using the standard
SecurityManager to force non-trusted accesses to use the non-local
interface.
This problem may be addressed already by the switch away from JNDI for
internal accesses. But while we're not there, I wonder whether there is
a work-around to get rid of the in-VM authentication requirement.
Oh, and while I'm already ranting... I wonder whether it is really
desirable to have a single hard-coded, catch-all super-user instead of
installing a few ACIs. WDYT?
Thanks
Joerg Henne
- Authentication and JBoss SAR Jörg Henne
-
